1. Field of the Invention
The present invention relates to a digital signature providing method, and more particularly, to a system and method for providing a digital signature based on a mobile trusted module (MTM). The system and method cause the MTM prepared in a mobile device to generate a keypad image in which buttons are irregularly arranged, an MTM table for converting keypad touch information into an actual value, and a terminal table for converting keypad image coordinates into an area; to store keypad coordinate values input by a user and the number of touches made by the user based on the generated keypad image, MTM table, and terminal table; and to verify whether an actual value converted according to the stored keypad coordinate values and number of touches is the same as a previously set password.
2. Discussion of Related Art
The recent explosive increase in the number of mobile terminals has led to an increasing number of monetary transactions performed through mobile terminals. As shopping, banking, etc. are enabled through mobile terminals, the demand for improved reliability and security of mobile electronic transactions is increasing.
For an electronic transaction involving a predetermined amount of money or more, an authorization certificate issued by an organization designated by the government, an Internet secure payment certificate issued by a payment service provider, etc. is used.
Public-key encryption is applied to such a certificate. Therefore, an encrypted private key of a user is decrypted using a certificate password input by the user, and the certificate bearing a digital signature is transmitted to a service provider using the decrypted private key, so that the reliability and security of the transaction may be ensured.
For this reason, the core of mobile electronic transaction security is to safely protect an encrypted private key of a user, and the certificate password for decrypting that key, from hacking.
However, a certificate and an encrypted private key of a user are stored in an internal or external flash memory, and thus may easily leak out if a hacking application can access a file system using a vulnerability of the mobile terminal.
To solve this problem, a hardware security module (HSM) is used. An encrypted private key of a user stored in an HSM does not leak out and thus is safe.
However, a hacker may steal an HSM password and a certificate password input by a user using a message hooking application installed in a mobile terminal, and obtain a digital signature from the HSM.
Such a message hooking program may directly steal a key-input value using a key-input interrupt in a terminal having no key-input security function, or steal input information, which is obtained after an indirect key value, such as coordinate values, is converted into an actual key value, by memory hacking in a terminal having a key-input security function.
Therefore, a digital signature generated without interoperation of security functions between a hardware security module, such as an HSM, and an application using the hardware security module has poor security.
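The split between the terminal table and the MTM table described in the Field of the Invention can be sketched as follows. This is an added example, not code from the patent. The 3x4 grid, the 100-pixel cells, the class and function names, the one-time use of each layout, and the choice to have the terminal send area indices to the MTM are all assumptions, and the keypad image itself is omitted.

```python
import hmac
import secrets

COLS, ROWS, CELL = 3, 4, 100             # assumed 3x4 keypad, 100 px cells
LABELS = list("0123456789") + ["", ""]   # ten digits plus two blank buttons


class MobileTrustedModule:
    """Stand-in for the MTM: keeps the password and the area -> value table."""

    def __init__(self, password):
        self._password = password
        self._mtm_table = None

    def new_keypad(self):
        # Shuffle the button labels with a CSPRNG; this mapping never leaves the MTM.
        labels = LABELS[:]
        secrets.SystemRandom().shuffle(labels)
        self._mtm_table = dict(enumerate(labels))
        # Terminal table: area index -> pixel rectangle (x0, y0, x1, y1).
        return {
            i: ((i % COLS) * CELL, (i // COLS) * CELL,
                (i % COLS + 1) * CELL, (i // COLS + 1) * CELL)
            for i in range(COLS * ROWS)
        }

    def verify(self, areas, touch_count):
        # Reject if no keypad is pending or the touch count does not match.
        if self._mtm_table is None or touch_count != len(areas):
            return False
        table, self._mtm_table = self._mtm_table, None   # layout is single-use
        entered = "".join(table.get(a, "") for a in areas)
        return hmac.compare_digest(entered.encode(), self._password.encode())


def touches_to_areas(terminal_table, touches):
    """Terminal side: map raw (x, y) touches to area indices, never to digits."""
    areas = []
    for x, y in touches:
        for area, (x0, y0, x1, y1) in terminal_table.items():
            if x0 <= x < x1 and y0 <= y < y1:
                areas.append(area)
    return areas


if __name__ == "__main__":
    mtm = MobileTrustedModule("4821")    # constructed sample password
    table = mtm.new_keypad()
    areas = touches_to_areas(table, [(50, 50), (150, 250), (250, 350), (50, 150)])
    print(areas, mtm.verify(areas, len(areas)))
```

Because the terminal only ever holds coordinates and area indices, the converted key value that the memory-hacking scenario above targets does not exist in application memory.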